Millions of data from Microsoft customers have been online unprotected for at least a few days. The incident dates from the end of December.
BinaryEdge, which is looking for data that is leaking online, could find the open databases. Security researcher Bob Diachenko reported the problem to Microsoft.
It concerns a total of five Elasticsearch databases that were discovered on 28 December. It is not known how long they had been public at that time.
Microsoft shielded them again around December 30-31. This concerns data about customers’ contacts with the Microsoft help desk with data dating back to 2005.
The good news is that the most sensitive information, such as contact details and payment information, cannot be read. But part of the data is in plain text and also contains e-mail addresses, IP addresses and a description of the problems discussed.
Even emails from Microsoft’s help desk and internal confidential notes are in the database.
The key question is how long the data was online and whether it was found and viewed by rogue people at that time.
For years, criminals have been trying to scam people with phone calls where they present themselves as Microsoft employees. With information about real contacts with the company, such a scam attempt can become a lot more successful.